Article by
Gildas Jones


9/1/2020

WhatsApp is not GDPR compliant (so don’t use it for business)


About 2 billion people around the world use WhatsApp as their go-to messaging app.

Roughly 5 million people specifically use WhatsApp Business, the business spin-off. But many millions more use the standard WhatsApp to contact business clients and communicate with their employees. To do this, they allow the app to access their contacts on their work mobiles.

And here’s where there is a big problem waiting in the wings.

Because the GDPR (General Data Protection Regulation) governs data protection in the EU and EEA (the European Economic Area, which includes the member states plus Iceland, Liechtenstein and Norway). And WhatsApp, it turns out, isn’t looking very compliant.

Here’s what we know:

WhatsApp and your data

1) You share data about everyone in your contacts

The first time you use WhatsApp after downloading and installing it, you’re prompted to agree to a little statement which tells you “WhatsApp would like to access your contacts”.

The small print tells you that this means you will “Upload your contacts to WhatsApp’s servers to help you quickly get in touch with your friends”.

For personal use, this might seem not ideal from a privacy standpoint but fairly innocuous. When it comes to using WhatsApp for business however, this is just painted all over in GDPR red flags.

2) WhatsApp stores all of that data on their servers

The operative word here is “all”. Because you’re not just sharing your own information. You’re not only sharing the information of other people who have WhatsApp accounts (and who presumably also agreed to this).

You’re sharing the details of everyone in your contacts. Even people who don’t use WhatsApp – or might even have only the haziest notion what a “WhatsApp” even is.

But because you have their details in your contacts – their name, mobile number, home number, email address, perhaps other details about their business – you are agreeing to give that data to WhatsApp.

3) How does WhatsApp use my data?

This is where we’re slightly in supposition territory. We can’t tell exactly how WhatsApp processes data (which is a key part of whether it’s technically violating GDPR).

It must process people’s mobile phone numbers in order to determine whether they have a WhatsApp account to allow you to “quickly get in touch with your friends”. But does it “process” the other data which might be attached to that mobile phone number entry in your contacts? Things like the names and addresses of people who don’t use WhatsApp?

Processing the mobile number with no other data attached might be defensible according to the GDPR. Processing the data of people (which you have supplied) who don’t use the app and haven’t agreed to have their data used almost certainly is not.

WhatsApp and GDPR

Is it possible that WhatsApp somehow manages to have all of the details contained in your contacts on its servers, display those details when required and not store that information or organise it?

It doesn’t seem that likely. Plus, there’s an important stipulation in the GDPR that says personal data about a person should not be capable of being used to identify them.

As WhatsApp appears to hold a person’s name, address, email addresses and employer, it certainly seems like there might be some level of danger that this information could be used to identify them.

After all, this is the kind of data which is usually termed “identifying information”.

How is WhatsApp getting away with this?

Surprisingly easily. Legal scholars have taken a quick look through WhatsApp’s terms of service and found a little clause which states that “You will not use (or assist others in using) our Services in ways that: (f) involve any non-personal use of our Services unless otherwise authorized by us.”

It has been pointed out that this pretty neatly offloads liability to anyone who chooses to use WhatsApp’s services for business purposes.

So if you use WhatsApp for business and you come up against a GDPR problem, WhatsApp can simply point the finger at you and say that you were in breach of its terms and conditions all along.

What can I use instead of WhatsApp?

The growing awareness that WhatsApp is not GDPR compliant has led businesses around the world to start searching for alternatives.

Some goals when choosing between these alternatives will be to:

  1. Keep the personal data of your team, the people you work with and your clients safe
  2. Protect yourself from potential GDPR problems in the future

Slack and Microsoft Teams (part of Microsoft Office 365) are the clear winners in this field when it comes to office communications. They’re both designed for business use and are trusted by millions. Half a million different organisations, in Teams’ case.

If you’re looking for a good WhatsApp alternative for business, look no further.

Want to get vital cybersecurity news like this dropped into your inbox each month?

Sign up to our newsletter. We only send one once a month and it’s always super-relevant cyber stuff.

You can also chat with one of our cybersecurity consultants about the way your business does things right now. We already advise nearly one thousand businesses in and around Bristol about their cybersecurity needs.